The last month of 2006 did not bring any substantial changes to the assortment of viruses found in the email traffic. Although analysis of the results for the entire year will be performed later, we can state that the Warezov worm family won a clear-cut victory in the autumn and winter months.
In December Warezov variants took the three top positions in the rankings, while the traditional change of leader turned into a family affair: Warezov.fb replaced Warezov.gj. We had expected and predicted this change: in December the former leader’s ranking declined sharply as it yielded position to its newer brethren.
The greatest surprise of November was the triumphal return of our old acquaintance, Nyxem.e, to the Top Twenty, straight to the third position. In December the worm surprised us again by going 13 positions down at once. Its old rival, Mytob.c, which also made a return to the sixth position in November, lost little ground to newcomers and remained in the 7th position. Nevertheless, it is now quite clear that the future of both worms (Nyxem.E and Mytob.C), which fought bitter battles for the top position during the first 9 months of the year, is rather bleak: in 2007 they will inevitably leave the Top Twenty.
This is also true of Zafi.b. Although this worm is among the top ten malicious programs this month, it has gone through several cycles appearing and disappearing from the top Twenty and may well leave again, never to return.
At the same time, NetSky.q (the October leader) goes up and down in the top part of the rankings and looks set to create problems for email users for a long time to come, despite the fact that (just think of it!) it was created as far back as 2004! Two more historical worms, LovGate.w and Mytob.t, are about equally ancient.
Among the newcomers, it is worth mentioning Bagle.gt and Exploit.Win32.IMG-WMF.y. Bagle.gt is the first member of its family to become one of the leaders in the virus race in the past several months. This is a very interesting fact: essentially, Bagle and Warezov are direct competitors, which means that we may be witnessing another cyberwar between criminal groups trying to gain access to user computers and data stored on them. Exploit.Win32.IMG-WMF.y belongs to a rare class of malicious programs: the object sent by email is not an executable file containing a worm but an image that contains an exploit for a WMF file handling vulnerability. When the image is accessed, a Trojan program or worm is installed on the user’s computer. This vulnerability was discovered one year ago, in December 2005. In the first week of its existence, the Internet was flooded with hundreds of Trojans that penetrated to computers using this mechanism. Although a year has passed, cybercriminals still successfully exploit this vulnerability.
Other malicious programs made up 11.96% of all malicious programs intercepted in mail traffic. This confirms that a large number of other worms and Trojans are still actively circulating.
Email-Worm.Win32.Warezov.fb, Email-Worm.Win32.Warezov.hb, Email-Worm.Win32.Bagle.gt, Exploit.Win32.IMG-WMF.y, Email-Worm.Win32.Agent.b
Email-Worm.Win32.NetSky.q, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.NetSky.b, Email-Worm.Win32.Warezov.do
Net-Worm.Win32.Mytob.c, Email-Worm.Win32.Zafi.b, Email-Worm.Win32.Scano.gen, Net-Worm.Win32.Mytob.t, Email-Worm.Win32.LovGate.w, Email-Worm.Win32.Nyxem.e,
Email-Worm.Win32.Warezov.dn, Net-Worm.Win32.Mytob.dam, Net-Worm.Win32.Mytob.a, Email-Worm.Win32.NetSky.x